Australian small-to-medium enterprises (SMEs) face mounting challenges as privacy compliance and data breach risks in Australia continue to rise.
The long-standing “small business exemption” under the Privacy Act 1988 (Cth) is narrowing, while regulators and consumers increasingly expect stronger safeguards for personal information. For SMEs, retrofitting protections after a breach is no longer sustainable – both financially and reputationally.
This article, written by our privacy law and small business law teams, explores how Australian SMEs can embed Privacy by Design into their systems and processes to meet the Australian Privacy Principles (APPs), prevent data breaches, and turn compliance into a competitive advantage.
Key Takeaways
Build privacy in from the start: The APPs expect proactive, not retroactive, privacy measures.
Do not rely on the small business exemption: Regulators demand accountability, and duties of confidence may still apply.
Conduct Privacy Impact Assessments (PIAs): These ensure compliance and reduce risks before new projects launch.
Manage third-party risks contractually: Cloud providers and IT vendors must be bound by clear privacy obligations.
Prevention costs less than breaches: OAIC enforcement actions and real-world breach costs show PbD is more cost-effective.

Why Privacy by Design Matters for Australian SMEs
With privacy regulation tightening and cyber risks escalating, Australian SMEs face unique challenges embedding Privacy by Design (PbD) into everyday business practices.
PbD means building privacy controls into systems, products, and services from the outset (rather than bolting them on later).
While the Privacy Act 1988 (Cth) does not explicitly define PbD, its principles are reflected in the APPs, which require businesses to take “reasonable steps” to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11).
Legal Tip: For SMEs, who now handle increasing amounts of sensitive data, the message is clear: prevention is cheaper and more effective than remediation.
SMEs Can No Longer Rely on the ‘Small Business Exemption’
Historically, many SMEs assumed the small business exemption shielded them from privacy obligations. Recent reforms and OAIC determinations such as Datateks Pty Ltd [2023] AICmr 97 and Pacific Lutheran College (Privacy) [2023] AICmr 98 show otherwise.
In both cases, failures to embed PbD resulted in regulatory findings, reputational damage, and costly fallout. Even exempt businesses may still owe equitable duties of confidence, leaving them vulnerable if they mishandle personal information.
Bottom line: the exemption is no longer a safe harbour for SMEs. Proactive PbD demonstrates good faith compliance, reduces risks, and positions SMEs more favourably with regulators.
Why Privacy by Design Makes Sense for SMEs
SMEs often face:
Budget constraints
Limited internal expertise
Operational pressures
Yet SMEs make up 98% of Australian businesses, and 97% employ fewer than 20 staff. This means even small breaches can have outsized financial and reputational consequences.
According to the OAIC, the average cost of a notifiable breach for an SME exceeds $150,000. PbD (implemented proportionately) can drastically reduce this exposure.
Closing the SME Privacy Knowledge Gap
The APPs are principles-based and flexible, but this flexibility creates uncertainty about compliance standards.
For SMEs without legal training, obligations may seem optional. This often leads to reactive compliance, particularly when relying on the small business exemption.
However, as shown by major breaches such as the Genea IVF ransomware attack (2025), even large, well-resourced organisations can struggle with compliance. SMEs must prioritise privacy literacy to avoid costly mistakes.

Minimum Privacy Standards for SMEs
Every SME should embed at least the following baseline PbD measures:
Conduct Privacy Impact Assessments (PIAs) before new projects.
Maintain a compliant privacy policy that is accessible and transparent.
Implement access controls and built-in security (encryption at rest and in transit, multi-factor authentication, role-based access limited to what each role needs).
Document an incident response plan aligned with the Notifiable Data Breaches (NDB) scheme.
Train staff regularly, with role-specific awareness programs.
These are scalable, achievable, and aligned with APP obligations, helping SMEs demonstrate they have taken “reasonable steps.”
Leveraging Built-In Security
Simple, low-cost technical safeguards can drastically reduce risks, such as:
Encryption
Multi-factor authentication (MFA)
Role-based access controls
Case in point:
Medibank (2022): Attackers used stolen credentials on a remote access point that lacked MFA, resulting in a catastrophic breach affecting 9.7 million current and former customers.
Qantas (2025): Had implemented MFA early, which limited the scope of a breach that originated in a third-party customer service platform.
Built-in information security is not optional; it is part of the “reasonable steps” the APPs require.
Strengthening Privacy Through Policies and Contracts
SMEs face some of the greatest privacy risks in three common areas:
Privacy policies (APP 1.4): Must clearly explain data collection, storage, use, and rights. Outdated or deceptive consent mechanisms risk breaching both the APPs and the Spam Act 2003 (Cth).
Legacy systems: Outdated IT infrastructure magnifies risks. SMEs should update, patch, or replace legacy systems, or apply interim safeguards.
Third-party contracts: SMEs often outsource IT and cloud services without proper contractual protections. OAIC cases against 7-Eleven and Bunnings show how poor governance and inadequate oversight can still breach APPs.
Empowering Staff and Planning for Incidents
Human error remains one of the biggest risks. SMEs should:
Deliver mandatory, role-specific privacy training at least quarterly.
Maintain a tested data breach response plan, aligned with OAIC and ACSC guidance, and rehearse it so staff know who assesses, who decides, and who notifies.
For Australian SMEs, Privacy by Design is not optional. It is:
A legal obligation under the APPs
A strategic risk management tool
A trust-building measure with consumers
Even modest, staged adoption significantly reduces risks and costs. The question is no longer “can SMEs afford PbD?” but rather “can they afford not to implement it?”

Frequently Asked Questions
Do SMEs need a dedicated privacy officer?
Not legally, but strongly recommended. Assign responsibility for PIAs, staff training, vendor oversight, and breach response.
What about overseas cloud providers?
Disclosing personal information to an overseas provider engages APP 8, so SMEs wanting to use overseas cloud providers should conduct due diligence, put strong contracts in place (security, breach notification, data minimisation, sub-processor restrictions), and consider encryption or data localisation.
How long should personal information be kept?
Only as long as lawfully required. Maintain a retention schedule and securely destroy or de-identify data when no longer needed.
Do employee records fall outside the Privacy Act?
The employee records exemption is limited. It does not cover contractors, job applicants, or all contexts. Best practice: apply PbD to all staff information.
When must a data breach be reported?
If there is unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any affected individual, and remedial action cannot prevent that harm, it is an eligible data breach under the NDB scheme. Where a breach is only suspected, the entity must complete a reasonable and expeditious assessment within 30 days of becoming aware of the grounds for suspicion. Once there are reasonable grounds to believe an eligible data breach has occurred, the OAIC and affected individuals must be notified as soon as practicable; the 30 days is an assessment window, not a notification deadline.